Attackers recently used social engineering to convince mobile device users to hand over their International Mobile Equipment Identity (IMEI) numbers. I'm assuming this should never be used as an authentication factor, correct? Is it good practice to advise users/customers to never give out their IMEI numbers?

By submitting your personal information, you agree to receive emails regarding relevant products and special offers from TechTarget and its partners. You also agree that your personal information may be transferred and processed in the United States, and that you have read and agree to the Terms of Use and the Privacy Policy.

There are two reasons why an organization wouldn’t use an International Mobile Equipment Identity (IMEI) when considering possible mobile authenticators. The first is that if the IMEI authentication number is compromised, which is possible using special tools, the IMEI can be easily ported to a stolen telephone that allows the rogue telephone operator to take advantage of the services the original device had access to, such as SMS authentication codes.

More importantly, an IMEI is tied to a device, not an individual. If a user loses his or her unlocked telephone but doesn’t report it, anyone who picks up the telephone can use its applications. Identities should be technology-neutral, not tied to a device.

To answer the second question, users and/or customers should never give out their IMEI numbers, or any other mobile-identifying information, unless the individual has initiated a call with his or her provider.

0 comments

E-Mail

Username / Password

Password

By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy